author | Katharina Fey <kookie@spacekookie.de> | 2018-07-02 00:02:22 +0200 |
---|---|---|
committer | Katharina Fey <kookie@spacekookie.de> | 2018-07-02 00:02:22 +0200 |
commit | 99ff8f0ebae37069de690936f79c4d599851f952 (patch) | |
tree | 06d33db20cdd065e74334fef20096806a5b4f5d9 | |
parent | d99d8bb4d9fb695f15256a8fe9a85136959e556b (diff) |
Big code change & refactoring commit
Move `token` into user module for lockchain-core. Start work on
a PAM authentication module which replaces the second layer
UserStore in API layer state (http being the only one for now).
This brings the `nix` and `pam-auth` dependencies, which unfortunately
currently don't work :(
-rw-r--r-- | Cargo.lock | 44 | ||||
-rw-r--r-- | lockchain-core/Cargo.toml | 3 | ||||
-rw-r--r-- | lockchain-core/src/auth.rs | 88 | ||||
-rw-r--r-- | lockchain-core/src/lib.rs | 5 | ||||
-rw-r--r-- | lockchain-core/src/traits.rs | 12 | ||||
-rw-r--r-- | lockchain-core/src/users/mod.rs (renamed from lockchain-core/src/users.rs) | 4 | ||||
-rw-r--r-- | lockchain-core/src/users/tokens.rs (renamed from lockchain-core/src/users/auth.rs) | 0 | ||||
-rw-r--r-- | lockchain-http/src/state.rs | 9 | ||||
-rw-r--r-- | lockchain-server/src/main.rs | 7 |
9 files changed, 160 insertions, 12 deletions
@@ -837,6 +837,8 @@ dependencies = [ "blake2 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "chrono 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)", "keybob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "nix 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", + "pam-auth 0.5.4 (registry+https://github.com/rust-lang/crates.io-index)", "rand 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.66 (registry+https://github.com/rust-lang/crates.io-index)", "serde_derive 1.0.66 (registry+https://github.com/rust-lang/crates.io-index)", @@ -1013,6 +1015,18 @@ dependencies = [ ] [[package]] +name = "nix" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)", + "cc 1.0.17 (registry+https://github.com/rust-lang/crates.io-index)", + "cfg-if 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)", + "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] name = "nodrop" version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" 
@@ -1052,6 +1066,24 @@ dependencies = [ ] [[package]] +name = "pam-auth" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)", + "pam-sys 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)", + "users 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] +name = "pam-sys" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] name = "parking_lot" version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1780,6 +1812,14 @@ dependencies = [ ] [[package]] +name = "users" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] name = "utf8-ranges" version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" 
@@ -1995,12 +2035,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum miow 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919" "checksum miscreant 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "345b52b06ce7a0e2fab0a0ea99ef52e81d63102ba0425b2914f1867b9d820628" "checksum net2 0.2.32 (registry+https://github.com/rust-lang/crates.io-index)" = "9044faf1413a1057267be51b5afba8eb1090bd2231c693664aa1db716fe1eae0" +"checksum nix 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d37e713a259ff641624b6cb20e3b12b2952313ba36b6823c0f16e6cfd9e5de17" "checksum nodrop 0.1.12 (registry+https://github.com/rust-lang/crates.io-index)" = "9a2228dca57108069a5262f2ed8bd2e82496d2e074a06d1ccc7ce1687b6ae0a2" "checksum num-integer 0.1.39 (registry+https://github.com/rust-lang/crates.io-index)" = "e83d528d2677f0518c570baf2b7abdcf0cd2d248860b68507bdcb3e91d4c0cea" "checksum num-traits 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "630de1ef5cc79d0cdd78b7e33b81f083cbfe90de0f4b2b2f07f905867c70e9fe" "checksum num_cpus 1.8.0 (registry+https://github.com/rust-lang/crates.io-index)" = "c51a3322e4bca9d212ad9a158a02abc6934d005490c054a2778df73a70aa0a30" "checksum opaque-debug 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "d620c9c26834b34f039489ac0dfdb12c7ac15ccaf818350a64c9b5334a452ad7" "checksum owning_ref 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "cdf84f41639e037b484f93433aa3897863b561ed65c6e59c7073d7c561710f37" +"checksum pam-auth 0.5.4 (registry+https://github.com/rust-lang/crates.io-index)" = "786ab196f56a77935a235ec5d8f0bf1755343528a8699273a14ed4891be284e3" +"checksum pam-sys 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)" = "a7710a1234438b6358315b14fc5f56c5af8f8b6d93515281053af5257ad848a6" "checksum parking_lot 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)" = 
"d4d05f1349491390b1730afba60bb20d55761bef489a954546b58b4b34e1e2ac" "checksum parking_lot_core 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)" = "4db1a8ccf734a7bce794cc19b3df06ed87ab2f3907036b693c68f56b4d4537fa" "checksum pbkdf2 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "6d389750af68dcb6d6b2d6cf4aa234d2929b311a31a74aa8bb33e13a27784b8d" @@ -2085,6 +2128,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum unreachable 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "382810877fe448991dfc7f0dd6e3ae5d58088fd0ea5e35189655f84e6814fa56" "checksum untrusted 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f392d7819dbe58833e26872f5f6f0d68b7bbbe90fc3667e98731c4a15ad9a7ae" "checksum url 1.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "f808aadd8cfec6ef90e4a14eb46f24511824d1ac596b9682703c87056c8678b7" +"checksum users 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e7d8fb16f17ce0e6a18a25ce39f08edb5fbe9a25f3f346c9dca5e6ffc0485cdf" "checksum utf8-ranges 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "662fab6525a98beff2921d7f61a39e7d59e0b425ebc7d0d9e66d316e55124122" "checksum uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)" = "e1436e58182935dcd9ce0add9ea0b558e8a87befe01c1a301e6020aeb0876363" "checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a" diff --git a/lockchain-core/Cargo.toml b/lockchain-core/Cargo.toml index cfddc0f..87d3f65 100644 --- a/lockchain-core/Cargo.toml +++ b/lockchain-core/Cargo.toml @@ -14,6 +14,9 @@ serde_derive = "1.0" serde_json = "1.0" serde = "1.0" +nix = "0.11" +pam-auth = "0.5" + base64 = "0.8" bcrypt = "0.2" rand = "0.4" diff --git a/lockchain-core/src/auth.rs b/lockchain-core/src/auth.rs new file mode 100644 index 0000000..eceece0 --- /dev/null +++ b/lockchain-core/src/auth.rs 
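Review bot: `nix` and `pam-auth` are added to lockchain-core/Cargo.toml as unconditional dependencies, so every consumer of the core crate now builds and links the PAM FFI stack (`pam-sys`, `users`, `libc` per the lockfile). The commit message says these dependencies do not work yet, and the only code that would use them in auth.rs is commented out. Until the PAM path is live, consider making them optional and gating `mod auth` on a cargo feature, e.g. `pam-auth = { version = "0.5", optional = true }` and `nix = { version = "0.11", optional = true }`. That keeps the native-code surface out of default builds and likely also keeps non-Unix targets compiling.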
@@ -0,0 +1,88 @@
+//! Provides an authentication module backed by PAM
+//!
+//! The way a user is authenticated is via the `lockchain` group
+//! and a simple writing/ deleting of a lock file.
+
+use nix::sys::wait::*;
+use nix::unistd::{fork, ForkResult};
+
+use pam_auth::{self, Authenticator, PamError, Result as PamResult};
+
+#[derive(Debug)]
+pub enum AuthError {
+ FailedFork,
+ FailedPAM,
+ InvalidUser,
+ UserNotAuthorised,
+}
+
+/// Simple way to authenticate a user for administrative actions
+///
+/// Attempts to open a PAM session for the provided user/pw combination
+/// then attempts to write to a tmpfile in the lockchain config directory.
+/// If this action is successful the user is either the same running the
+/// lockchain server *or* has access to the file via group permissions.
+///
+/// This does rely on `lockchain` being properly configured on the server
+/// i.e. not using public permissions for the configuration/ state directory.
+///
+/// **Note** as of `lockchain v0.9.0` this function has not been implemented
+/// yet due to issues in the `pam-auth` dependency.
+#[allow(unused_variables)]
+pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> {
+ Err(AuthError::FailedPAM)
+
+
+ // match fork().map_err(|_| AuthError::FailedFork)?
{ + // ForkResult::Parent { child } => { + // waitpid(child, None).unwrap(); + // // kill(child, SIGKILL).expect("kill failed"); + // } + // ForkResult::Child => { + // let mut auth = Authenticator::new("lockchain").ok_or(AuthError::FailedPAM)?; + + // use std::error::Error; + // let service = "login"; + + // println!("Username: {}", username); + // println!("Password: {}", password); + // println!("Service: {}", service); + + // let mut auth = Authenticator::new(service).unwrap(); + // auth.set_credentials(username, password); + + // match auth.authenticate() { + // Ok(()) => println!("authenticate() OK!"), + // Err(e) => { + // println!("authenticate() FAILED!"); + // println!("{}", e.description()); + // println!("{:#?}", e.cause()); + // } + // } + + // match auth.open_session() { + // Ok(()) => println!("open_session() OK!"), + // Err(e) => { + // println!("open_session() FAILED!"); + // println!("{}", e.description()); + // println!("{:#?}", e.cause()); + // } + // } + + // auth.set_credentials(username, password); + // auth.authenticate().map_err(|_| AuthError::InvalidUser)?; + // auth.open_session().map_err(|_| AuthError::FailedPAM)?; + + // use std::process::Command; + // let output = Command::new("su") + // .arg(username) + // .output() + // .expect("failed to execute process"); + // println!("whoami: {:#?}", String::from_utf8(output.stdout).unwrap()); + + // ::std::process::exit(255); + // } + // } + + // Ok(()) +} diff --git a/lockchain-core/src/lib.rs b/lockchain-core/src/lib.rs index 465f145..2c5b0d7 100644 --- a/lockchain-core/src/lib.rs +++ b/lockchain-core/src/lib.rs @@ -1,7 +1,6 @@ //! Common library types used in lockchain crates #![feature(external_doc)] #![doc(include = "../README.md")] -#![feature(non_modrs_mods)] #[macro_use] extern crate serde_derive; @@ -13,6 +12,8 @@ extern crate base64; extern crate blake2; extern crate rand; extern crate keybob; +extern crate nix; +extern crate pam_auth; pub mod errors; pub mod traits; 
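Review bot: The commented-out body left under `Err(AuthError::FailedPAM)` in `pam_authenticate` (lockchain-core/src/auth.rs) is unsafe to revive as written. It prints the cleartext password via `println!("Password: {}", password)`, and the `ForkResult::Parent` arm calls `waitpid(child, None).unwrap()` without inspecting the returned status before falling through to `Ok(())`, so the parent would report success for any credentials. The live stub fails closed, which is the right default, so I would delete the dead block and leave a short marker such as `// TODO: run PAM in the forked child and map its WaitStatus to Ok/Err; never log credentials`. The `nix` and `pam_auth` imports at the top of the file are unused while the body is commented out and will only produce warnings.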
@@ -20,7 +21,9 @@ pub mod crypto; pub mod users; mod meta; mod record; +mod auth; pub use self::crypto::PackedData; pub use self::record::{Header, Payload, Record, EncryptedBody}; pub use self::meta::{MetaDomain, VaultMetadata}; +pub use self::auth::pam_authenticate;
\ No newline at end of file diff --git a/lockchain-core/src/traits.rs b/lockchain-core/src/traits.rs index 96a2034..4e66d8f 100644 --- a/lockchain-core/src/traits.rs +++ b/lockchain-core/src/traits.rs @@ -178,3 +178,15 @@ impl Base64AutoEncoder for String { String::from_utf8(base64::decode(base64).unwrap()).unwrap() } } + +impl Base64AutoEncoder for Vec<u8> { + /// Automatically encode this string to base64 + fn to_base64(&self) -> String { + base64::encode(self) + } + + /// Craft a string from an existing base64 string slice + fn from_base64(base64: &str) -> String { + String::from_utf8(base64::decode(base64).unwrap()).unwrap() + } +} diff --git a/lockchain-core/src/users.rs b/lockchain-core/src/users/mod.rs index ab40c43..29be002 100644 --- a/lockchain-core/src/users.rs +++ b/lockchain-core/src/users/mod.rs @@ -13,8 +13,8 @@ //! `User` is also a serialisable struct which contains important //! data to load and store them into a metadata store. -mod auth; -pub use self::auth::Token; +mod tokens; +pub use self::tokens::Token; use crypto::{encoding, hashing, random}; use std::collections::HashMap; diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/tokens.rs index e6e4854..e6e4854 100644 --- a/lockchain-core/src/users/auth.rs +++ b/lockchain-core/src/users/tokens.rs diff --git a/lockchain-http/src/state.rs b/lockchain-http/src/state.rs index 9a5b4ba..650660f 100644 --- a/lockchain-http/src/state.rs +++ b/lockchain-http/src/state.rs @@ -1,5 +1,4 @@ use lockchain::traits::{AutoEncoder, Body, FileIO, Vault}; -use lockchain::users::{User, UserStore}; use std::collections::HashMap; use std::marker::PhantomData; 
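Review bot: In lockchain-core/src/lib.rs, `pub use self::auth::pam_authenticate;` exports a function whose error type `AuthError` lives in the private `mod auth` and is not re-exported, so downstream crates cannot name the type or match on its variants. Re-export both with `pub use self::auth::{pam_authenticate, AuthError};`. Callers that need to tell `InvalidUser` from `FailedPAM`, for example to choose a response code, depend on this.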
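Review bot: The new `impl Base64AutoEncoder for Vec<u8>` in lockchain-core/src/traits.rs does not round-trip: `to_base64` encodes arbitrary bytes, but `from_base64` returns a `String` built with `String::from_utf8(base64::decode(base64).unwrap()).unwrap()`. That panics on malformed base64 and on any decoded bytes that are not valid UTF-8, such as keys or ciphertext. If this is reachable with data from a request or a vault file, a bad value aborts the thread instead of yielding an error. The trait definition is outside the hunk, so the return type may be fixed by it; if so, consider changing the trait to return `Result<Self, _>`, or at least giving this impl a decode path that yields `Vec<u8>`. The doc comments are copied from the `String` impl and should describe bytes, e.g. `/// Encode these bytes as base64`.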
@@ -34,14 +33,14 @@ where #[doc(hidden)] pub vaults: HashMap<String, Option<V>>, #[doc(hidden)] - pub users: UserStore, - #[doc(hidden)] pub _phantom: PhantomData<B>, /// Signal if the API handlers are allowed outside their working dir pub bound_scope: bool, /// Provide a working directory pub working_dir: PathBuf, + /// Completely disabe administrative actions + pub administrative: bool, } impl<B, V> ApiState<B, V> @@ -88,7 +87,7 @@ where _phantom: PhantomData, bound_scope: true, vaults: HashMap::new(), - users: Default::default(), + administrative: false, ..Default::default() } } @@ -97,7 +96,6 @@ where #[derive(Serialize, Deserialize)] struct SerializedState { vaults: Vec<String>, - users: Vec<User>, } impl AutoEncoder for SerializedState {} @@ -112,7 +110,6 @@ where fn from(me: &'state ApiState<B, V>) -> Self { Self { vaults: me.vaults.iter().map(|(k, _)| k.clone()).collect(), - users: me.users.get_all().iter().map(|(_, v)| v.clone()).collect(), } } } diff --git a/lockchain-server/src/main.rs b/lockchain-server/src/main.rs index 8d3f3fd..1e4840f 100644 --- a/lockchain-server/src/main.rs +++ b/lockchain-server/src/main.rs @@ -14,11 +14,12 @@ fn main() { let state = ApiState::<EncryptedBody, DataVault<EncryptedBody>> { bound_scope: true, working_dir: ".".into(), + + // This is a dangerous option + administrative: true, ..Default::default() }; let server = create_server("localhost", "9999", state); - server.run(); - - // println!("After the server died!"); + server.unwrap().run(); } |
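Review bot: The doc comment on the new `administrative` field of `ApiState` (lockchain-http/src/state.rs) reads `/// Completely disabe administrative actions`, which has a typo and states the opposite polarity from how the flag is used. The default set in the `@@ -88,7 +87,7 @@` hunk is `false`, and lockchain-server sets it to `true` under the comment "This is a dangerous option". For a security-relevant switch the doc should say what `true` does, e.g. `/// Enables administrative actions when true; defaults to false (disabled)`. The struct definition starts and ends outside the hunk.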
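Review bot: `administrative: true` is hard-coded in lockchain-server/src/main.rs, so every build of the server runs with the option its own comment calls dangerous, while `pam_authenticate` in this same commit always returns `Err(AuthError::FailedPAM)`. Whether the handlers consult that function is not visible here, but the flag should come from a CLI argument or config value and stay `administrative: false,` until the PAM check works. Separately, `server.unwrap().run();` turns a startup failure into a bare panic; `server.expect("failed to create server on localhost:9999").run();` gives the operator something to act on.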